vitasha
Junior Member
Network Control Rules (typical rules)

Blocking outgoing IGMP:
  BLOCK IP OUT FROM IP [Any] TO IP [Any] WHERE IPPROTO IS IGMP

General block of all incoming traffic on ports 135 and 445:
  BLOCK TCP or UDP IN FROM IP [Any] TO IP [Any] WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS IN [135,445]

Allowing NetBIOS in the local network [1]:
  ALLOW TCP or UDP IN or OUT FROM IP ZONE:[Local Network] TO IP ZONE:[Local Network] WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS 137-139

Allowing ping in the local network:
  ALLOW ICMP OUT FROM IP ZONE:[Local Network] TO IP ZONE:[Local Network] WHERE ICMP MESSAGE IS ECHO REQUEST
  ALLOW ICMP IN FROM IP ZONE:[Local Network] TO IP ZONE:[Local Network] WHERE ICMP MESSAGE IS FRAGMENTATION NEEDED
  ALLOW ICMP IN FROM IP ZONE:[Local Network] TO IP ZONE:[Local Network] WHERE ICMP MESSAGE IS TIME EXCEEDED

Blocking ports 135, 137-139 (NetBIOS) and 445 in the Internet zone [1]:
  BLOCK TCP or UDP OUT FROM IP ZONE:[Internet Zone] TO IP [Any] WHERE SOURCE PORT IS IN [135,137,138,139,445] AND DESTINATION PORT IS [Any]
  BLOCK TCP or UDP IN FROM IP [Any] TO IP ZONE:[Internet Zone] WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS IN [135,137,138,139,445]

DNS Server [2]:
  ALLOW UDP OUT FROM IP ZONE:[Internet Zone] TO IP DNS_server WHERE SOURCE PORT IS 1024-4999 AND DESTINATION PORT IS 53

Web Browser:
  ALLOW TCP OUT FROM IP ZONE:[Internet Zone] TO IP [Any] WHERE SOURCE PORT IS 1024-4999 AND DESTINATION PORT IS IN [80,81,82,83,443]

Mail Client:
  ALLOW TCP OUT FROM IP ZONE:[Internet Zone] TO IP [Any] WHERE SOURCE PORT IS 1024-4999 AND DESTINATION PORT IS IN [25,110,143,993,995]

FTP Client [3]:
  ALLOW TCP OUT FROM IP ZONE:[Internet Zone] TO IP FTP_server WHERE SOURCE PORT IS 1024-4999 AND DESTINATION PORT IS 21
  ALLOW TCP IN FROM IP FTP_server TO IP ZONE:[Internet Zone] WHERE SOURCE PORT IS 20 AND DESTINATION PORT IS 1024-4999
  for passive mode:
  ALLOW TCP OUT FROM IP ZONE:[Internet Zone] TO IP FTP_server WHERE SOURCE PORT IS 1024-4999 AND DESTINATION PORT IS 1024-65535

ICQ Messenger:
  ALLOW TCP OUT FROM IP ZONE:[Internet Zone] TO IP [Any] WHERE SOURCE PORT IS 1024-4999 AND DESTINATION PORT IS IN [443,5190]

Comodo Submit:
  ALLOW TCP OUT FROM IP ZONE:[Internet Zone] TO IP 195.92.253.141 WHERE SOURCE PORT IS 1024-4999 AND DESTINATION PORT IS 21
  ALLOW TCP OUT FROM IP ZONE:[Internet Zone] TO IP 195.92.253.141 WHERE SOURCE PORT IS 1024-4999 AND DESTINATION PORT IS 1024-4999

Final rule, blocking everything else (with logging [4]):
  BLOCK and LOG TCP or UDP IN or OUT FROM IP [Any] TO IP [Any] WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS [Any]

[1] Zones are created beforehand here: Tasks > Add/Remove/Modify a Zone
    ZONE:[Local Network] - the address range of the local network (example: 192.168.0.0-192.168.0.255)
    ZONE:[Internet Zone] - the IP (or IP range) assigned by the provider for Internet access.
[2] Substitute your own provider's DNS server for DNS_server.
[3] Substitute the corresponding IP address for FTP_server.
[4] To enable logging for a rule, tick the "Create an alert if this rule is fired" box in its settings.

Total posts: 113 | Registered: 17-05-2004 | Posted: 07:59 22-12-2005 | Edited: XenoZ, 15:15 10-12-2007
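A rule list like the one above is evaluated top to bottom, first match wins, so the order decides what gets through. The following Python evaluator is an added example (mine, not part of vitasha's post or of Comodo's software) that encodes the posted rules in their original order and runs constructed packets through them. The zone ranges, the DNS_server and FTP_server addresses are placeholder values I chose; 195.92.253.141 is the address given in the post.

```python
"""First-match evaluator for the Comodo-style rule list posted above (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholders for the zones and hosts the post leaves to the reader.
LOCAL_NETWORK = ip_network("192.168.0.0/24")   # ZONE:[Local Network], the post's example range
INTERNET_ZONE = ip_network("203.0.113.0/24")   # ZONE:[Internet Zone], TEST-NET-3 stand-in
DNS_SERVER = "198.51.100.53"                   # stands in for DNS_server
FTP_SERVER = "198.51.100.21"                   # stands in for FTP_server
COMODO_SUBMIT = "195.92.253.141"               # address as given in the post


@dataclass
class Packet:
    proto: str       # "TCP", "UDP", "ICMP" or "IGMP"
    direction: str   # "IN" or "OUT"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp: str = ""   # ICMP message type, e.g. "ECHO REQUEST"


# Field matchers: each returns True when the packet field satisfies the rule's condition.
def ANY(_value):
    return True

def zone(net):
    return lambda addr: ip_address(addr) in net

def host(ip):
    return lambda addr: ip_address(addr) == ip_address(ip)

def ports(*numbers):
    return lambda n: n in numbers

def prange(lo, hi):
    return lambda n: lo <= n <= hi


@dataclass
class Rule:
    action: str            # "ALLOW" or "BLOCK"
    protos: tuple
    dirs: tuple
    src: object = ANY
    dst: object = ANY
    sport: object = ANY
    dport: object = ANY
    icmp: str = ""         # required ICMP message type, empty if none
    log: bool = False      # "Create an alert if this rule is fired"

    def matches(self, p: Packet) -> bool:
        return (p.proto in self.protos and p.direction in self.dirs
                and self.src(p.src) and self.dst(p.dst)
                and self.sport(p.sport) and self.dport(p.dport)
                and (not self.icmp or p.icmp == self.icmp))


TCP_UDP, BOTH = ("TCP", "UDP"), ("IN", "OUT")
LOCAL, INET = zone(LOCAL_NETWORK), zone(INTERNET_ZONE)
CLIENT_PORTS = prange(1024, 4999)           # the source-port range the post assumes
NETBIOS = ports(135, 137, 138, 139, 445)

RULES = [  # same order as in the post; first match wins
    Rule("BLOCK", ("IGMP",), ("OUT",)),
    Rule("BLOCK", TCP_UDP, ("IN",), dport=ports(135, 445)),
    Rule("ALLOW", TCP_UDP, BOTH, src=LOCAL, dst=LOCAL, dport=prange(137, 139)),
    Rule("ALLOW", ("ICMP",), ("OUT",), src=LOCAL, dst=LOCAL, icmp="ECHO REQUEST"),
    Rule("ALLOW", ("ICMP",), ("IN",), src=LOCAL, dst=LOCAL, icmp="FRAGMENTATION NEEDED"),
    Rule("ALLOW", ("ICMP",), ("IN",), src=LOCAL, dst=LOCAL, icmp="TIME EXCEEDED"),
    Rule("BLOCK", TCP_UDP, ("OUT",), src=INET, sport=NETBIOS),
    Rule("BLOCK", TCP_UDP, ("IN",), dst=INET, dport=NETBIOS),
    Rule("ALLOW", ("UDP",), ("OUT",), src=INET, dst=host(DNS_SERVER), sport=CLIENT_PORTS, dport=ports(53)),
    Rule("ALLOW", ("TCP",), ("OUT",), src=INET, sport=CLIENT_PORTS, dport=ports(80, 81, 82, 83, 443)),
    Rule("ALLOW", ("TCP",), ("OUT",), src=INET, sport=CLIENT_PORTS, dport=ports(25, 110, 143, 993, 995)),
    Rule("ALLOW", ("TCP",), ("OUT",), src=INET, dst=host(FTP_SERVER), sport=CLIENT_PORTS, dport=ports(21)),
    Rule("ALLOW", ("TCP",), ("IN",), src=host(FTP_SERVER), dst=INET, sport=ports(20), dport=CLIENT_PORTS),
    Rule("ALLOW", ("TCP",), ("OUT",), src=INET, dst=host(FTP_SERVER), sport=CLIENT_PORTS, dport=prange(1024, 65535)),
    Rule("ALLOW", ("TCP",), ("OUT",), src=INET, sport=CLIENT_PORTS, dport=ports(443, 5190)),
    Rule("ALLOW", ("TCP",), ("OUT",), src=INET, dst=host(COMODO_SUBMIT), sport=CLIENT_PORTS, dport=ports(21)),
    Rule("ALLOW", ("TCP",), ("OUT",), src=INET, dst=host(COMODO_SUBMIT), sport=CLIENT_PORTS, dport=CLIENT_PORTS),
    Rule("BLOCK", TCP_UDP, BOTH, log=True),
]


def evaluate(p: Packet):
    """Return (action, 1-based rule number, logged) for the first matching rule,
    or ("NO MATCH", None, False) when none of the listed rules applies."""
    for number, rule in enumerate(RULES, 1):
        if rule.matches(p):
            return rule.action, number, rule.log
    return "NO MATCH", None, False


if __name__ == "__main__":
    # Constructed sample packets illustrating ordering effects.
    for pkt in (Packet("TCP", "IN", "192.168.0.5", "192.168.0.10", 1234, 445),
                Packet("TCP", "OUT", "203.0.113.10", "198.51.100.80", 50000, 80),
                Packet("ICMP", "IN", "198.51.100.9", "203.0.113.10", icmp="ECHO REQUEST")):
        print(pkt, "->", evaluate(pkt))
```

Three things the evaluator makes visible: SMB on port 445 is blocked even between local hosts, because the rule on ports 135/445 sits above the local NetBIOS allow (which in any case covers only 137-139); an outbound connection whose source port is outside 1024-4999 matches none of the allow rules and lands on the final logged block, which matters on Windows Vista and later, where the default dynamic port range is 49152-65535; and the final rule names only TCP and UDP, so an ICMP packet arriving from the Internet matches nothing in this list and is left to the firewall's default behaviour.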